Getting NULL Identity while authenticating user via Azure AD authentication

痞子三分冷 submitted on 2020-06-29 04:37:45

Question


I am trying to authenticate user by Azure AD using WS-federation.

I've implemented multiple authentication schemes and redirect the user to the respective schemes using Challenge().

return Challenge(new AuthenticationProperties { RedirectUri = "http://localhost:57826/Account/AzureADLogin"}, authenticationScheme);

This can redirect me to the Microsoft login page and after successful login, it redirects me to the action method AzureADLogin().

But somehow in AzureADLogin(), I am not able to get the logged-in user identity (User.Identity.Name) in this method. I'm receiving empty claims in the response.

Also, in Azure AD the Redirect URI is set to "http://localhost:57826/Account/AzureADLogin".

Does anyone have an idea what I'm doing wrong or what I'm missing?


Answer 1:


I just battled this for over 3 days, and I spent several days troubleshooting and rewriting my app when I first noticed this problem in March. In my case, I have a .Net 4.5.2 app that had worked for years when using WSFederation and OWIN to login to Azure AD. However, an update to the server (Win 2016) occurred in March 2020 that broke the signin. Every single time, the place where I got the logged-in user name, System.Web.HttpContext.User.Identity.Name, was blank, and it had been populated each time before the update. I traced it back to the update KB4537764 on Server 2016. (FYI for anyone else, the updates for 2012 are KB4532946 and KB4532940.) If I removed the update, the signin worked. Applying the update again broke it. I googled for KB4537764 until I was blue in the face and always came up empty. It wasn't until I researched what KB4537764 actually did - it mentions a fix for SameSite - that I found what I needed to do to fix it and have the update installed on the server.

  • Update all OWIN versions to 4.1.0 in Nuget Package Manager
  • You need to configure the app to use SystemWebCookieManager. Add this in startup.cs. I made it the first line in Configuration(IAppBuilder app)

    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        // ...
        CookieManager = new SystemWebCookieManager()
    });
    
  • Add using Microsoft.Owin.Host.SystemWeb and using Microsoft.Owin.Security.Cookies in Startup.cs for the above code.
  • In my PageAuthorize class I make the SSO call if System.Web.HttpContext.Current.User.Identity.Name is blank:

    using System;
    using System.Web;
    using System.Web.Mvc;
    using Microsoft.Owin.Security;
    using Microsoft.Owin.Security.WsFederation;

    public class PageAuthorize : AuthorizeAttribute
    {
        private readonly string[] allowedroles;

        public PageAuthorize(params string[] roles)
        {
            this.allowedroles = roles;
        }

        protected override bool AuthorizeCore(HttpContextBase httpContext)
        {
            bool authorize = false;

            if (System.Web.HttpContext.Current.User.Identity.Name == "")
            {
                // No identity yet: start the WS-Federation sign-in through OWIN
                System.Web.HttpContext.Current.GetOwinContext().Authentication.Challenge(
                    new AuthenticationProperties { RedirectUri = "https://mysite/Home/LoggedIn" },
                    WsFederationAuthenticationDefaults.AuthenticationType);
                authorize = true;
            }
            else
            {
                foreach (var role in allowedroles)
                {
                    int intLoginId;
                    string staffName;
                    sysRole sysRole;

                    var _staffService = DependencyResolver.Current.GetService<IStaffService>();
                    LoginMySelf me = new LoginMySelf(_staffService);
                    var Login = me.DetermineLogin(out intLoginId, out staffName, out sysRole);

                    // set session vars
                    var _sessionManagerService = DependencyResolver.Current.GetService<ISessionManagerService>();
                    string strSess = _sessionManagerService.SetLoginSessionVars(Login, intLoginId, "SSO", sysRole.RoleName,
                        staffName, Convert.ToInt32(sysRole.AccessLevelValue));
                    System.Web.HttpContext.Current.Session["RoleName"] = sysRole.RoleName;
                    System.Web.HttpContext.Current.Session["StaffName"] = staffName;

                    if (role == sysRole.RoleName)
                    {
                        authorize = true;
                    }
                }
            }

            return authorize;
        }

        protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
        {
            HttpContext.Current.Response.Redirect("~/Home/NotAuthorized");
        }
    }

  • Now the System.Web.HttpContext.Current.User.Identity.Name always contains my username as expected.

Here are references I used to isolate and fix the problem:
  • https://github.com/aspnet/AspNetKatana/issues/324
  • https://github.com/aspnet/AspNetKatana/wiki/System.Web-response-cookie-integration-issues

Hope this helps you and others with this. This was absolutely maddening to diagnose but the fix was simple!
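A complete OWIN Startup that applies the fix from the answer above (OWIN 4.1.0, SystemWebCookieManager, and an explicit SameSite/Secure policy for the auth cookie, since the WS-Federation response arrives as a cross-site POST from the identity provider). This is an added example, not code from the question or the answer; the realm, metadata address and namespace are placeholders.

```csharp
using Microsoft.Owin;
using Microsoft.Owin.Host.SystemWeb;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;
using Owin;

[assembly: OwinStartup(typeof(MyApp.Startup))]

namespace MyApp
{
    public class Startup
    {
        // Placeholders: replace with the app's own Azure AD values.
        private const string Realm = "https://PLACEHOLDER-app-id-uri/";
        private const string Metadata =
            "https://login.microsoftonline.com/PLACEHOLDER-tenant-id/federationmetadata/2007-06/federationmetadata.xml";

        public void Configuration(IAppBuilder app)
        {
            // WS-Federation signs the user in to the cookie middleware.
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
                // Let System.Web own the response cookie collection, so the OWIN
                // auth cookie is not lost when System.Web also writes cookies
                // (e.g. the session cookie) in the same response.
                CookieManager = new SystemWebCookieManager(),
                // The sign-in response is a cross-site POST from the IdP. After the
                // SameSite servicing update, a cookie without an explicit policy
                // is treated as Lax and is not sent on that POST, which is why
                // User.Identity.Name comes back empty. None requires Secure.
                CookieSameSite = SameSiteMode.None,
                CookieSecure = CookieSecureOption.Always,
                CookieHttpOnly = true
            });

            app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
            {
                Wtrealm = Realm,
                MetadataAddress = Metadata
            });
        }
    }
}
```

The site must be served over HTTPS for the Secure cookie to be accepted; with CookieSecure set to Always the browser drops the cookie on plain HTTP and the symptom in the question reappears.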



Source: https://stackoverflow.com/questions/60428993/getting-null-identity-while-authenticating-user-via-azure-ad-authentication
